Sync caracal antelope #1235

Alex-Welsh · 2024-08-20T13:43:15Z

No description provided.

A similar change was made for Ubuntu systems in #1119, but it did not apply to Rocky 9 systems. This changes brings the two into line. (cherry picked from commit ef96aa2)

These are causing changes to docker overlay filesystems with possible unintended consequences. It is also really slow to loop through so many files in ansible. (cherry picked from commit 0d1dfe2)

zed: yoga merge

By default the 'Run tempest' task has no_log set to avoid revealing sensitive data. This does not apply in CI, and makes it difficult to debug failures. (cherry picked from commit 8384dc4)

CI: Allow logging of Rally/Tempest

Fixes CVE-2024-40767 [1] with updated container images for Nova services. [1] https://security.openstack.org/ossa/OSSA-2024-002.html

CI: Bump AIO root volume size to 40GB

Fix CVE-2024-40767

This is necessary to address OSSA-2024-002 [1] until patches are merged upstream. [1] https://security.openstack.org/ossa/OSSA-2024-002.html

Build nova from our fork

molly-guard can be used to prevent accidental reboots, prompting the user to input the system's hostname before allowing a reboot. This does not work well with automation, however. This change adds the internal reboot executable within molly-guard to the search path to avoid this issue.

yoga: Fix reboot hang on systems with molly-guard, add timeout variable

These can be used to enter and exit maintenance for Ceph hosts.

yoga: Stop changing permissions on files in CIS

If we have the CIS hardening hook enabled and run a command such as the following: kayobe overcloud host configure -t foo where 'cis' is not in the specified tags, we see the following error: PLAY [Security hardening] ***************************************** TASK [include_role : ansible-lockdown.rhel9_cis] ****************** fatal: [controller-01]: FAILED! => msg: |- The conditional check 'ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'' failed. The error was: error while evaluating conditional (ansible_facts.os_family == 'RedHat' and ansible_facts.distribution_major_version == '9'): 'dict object' has no attribute 'os_family'. 'dict object' has no attribute 'os_family' The error appears to be in 'etc/kayobe/ansible/cis.yml': line 35, column 7, but may be elsewhere in the file depending on the exact syntax problem. The offending line appears to be: - include_role: ^ here This is because the include_role task has the 'always' tag, so runs despite no facts having been gathered. The always tag is not required for this task - specifying the 'cis' tag causes the role to be included. This change fixes the issue by removing the always tags from these tasks.

Defining set of special characters to omit "`" and "'" which leads to issues More description: #1226

CIS: Remove always tag from include_role tasks

Allow reboot playbook to run with bootstrap user

Fixing wazuh password generation

Make linter happy

2023.1: zed merge

2023.1: Bump Ceph collection, add Ceph maintenance playbooks

Add RabbitMQ Quorum queue migration playbook

…al-antelope

markgoddard and others added 30 commits July 23, 2024 09:03

Stop changing permissions on files on Rocky 9

4dc1926

A similar change was made for Ubuntu systems in #1119, but it did not apply to Rocky 9 systems. This changes brings the two into line. (cherry picked from commit ef96aa2)

Stop changing permissions on files (#1119)

09d226c

These are causing changes to docker overlay filesystems with possible unintended consequences. It is also really slow to loop through so many files in ansible. (cherry picked from commit 0d1dfe2)

Merge pull request #1189 from stackhpc/zed-yoga-merge

67530fd

zed: yoga merge

CI: Allow logging of Rally/Tempest

376928e

By default the 'Run tempest' task has no_log set to avoid revealing sensitive data. This does not apply in CI, and makes it difficult to debug failures. (cherry picked from commit 8384dc4)

Merge pull request #1193 from stackhpc/rally-logging

1a1210c

CI: Allow logging of Rally/Tempest

Fix CVE-2024-40767

d750747

Fixes CVE-2024-40767 [1] with updated container images for Nova services. [1] https://security.openstack.org/ossa/OSSA-2024-002.html

CI: Bump AIO root volume size to 40GB

5b1f040

Merge pull request #1195 from stackhpc/yoga-bump=aio-disk

cdfad6a

CI: Bump AIO root volume size to 40GB

Merge branch 'stackhpc/yoga' into yoga-ossa-2024-002

41812df

Merge pull request #1191 from stackhpc/yoga-ossa-2024-002

e25cc4c

Fix CVE-2024-40767

Build nova from our fork

97c3d43

This is necessary to address OSSA-2024-002 [1] until patches are merged upstream. [1] https://security.openstack.org/ossa/OSSA-2024-002.html

Merge pull request #1200 from stackhpc/zed-nova

41936eb

Build nova from our fork

Add reboot timeout to reboot playbook

382f735

Merge pull request #1209 from stackhpc/yoga-molly-guard

9b9971d

yoga: Fix reboot hang on systems with molly-guard, add timeout variable

Add ceph-{enter,exit}-maintenance.yml playbooks

adfb56a

These can be used to enter and exit maintenance for Ceph hosts.

Merge pull request #1180 from stackhpc/yoga-backports

f8ed8c1

yoga: Stop changing permissions on files in CIS

Make linter happy

e58e4b6

Add RabbitMQ Quorum queue migration playbook

be31d10

Explicitly set RabbitMQ queue types in AIO

4e5e88d

Allow reboot playbook to run with bootstrap user

acc08a3

Fixing wazuh password generation.

2f7f5f9

Defining set of special characters to omit "`" and "'" which leads to issues More description: #1226

Merge pull request #1220 from stackhpc/yoga-cis-no-always

2aa9d60

CIS: Remove always tag from include_role tasks

Fix rabbit migration playbook

ad8aa2a

Merge pull request #1221 from stackhpc/reboot

d76ba77

Allow reboot playbook to run with bootstrap user

Merge pull request #1227 from stackhpc/wazuh_password_gen_fix

c35a1d2

Fixing wazuh password generation

Merge pull request #1225 from stackhpc/make-linter-happy

b468bbe

Make linter happy

Merge stackhpc/yoga into stackhpc/zed

07fdce6

Merge stackhpc/zed into stackhpc/2023.1

b300dd1

markgoddard and others added 6 commits August 16, 2024 17:07

Merge pull request #1230 from stackhpc/2023.1-zed-merge

f30b309

2023.1: zed merge

Refactor RabbitMQ migration playbook into script

eedc6fa

Merge branch 'stackhpc/2023.1' into rabbit-upgrade

5c5afa4

Address RabbitMQ quorum PR nits

9cfefa6

Merge pull request #1219 from stackhpc/2023.1-ceph-maintenance

dcea903

2023.1: Bump Ceph collection, add Ceph maintenance playbooks

Merge pull request #1224 from stackhpc/rabbit-upgrade

6281412

Add RabbitMQ Quorum queue migration playbook

Alex-Welsh requested a review from a team as a code owner August 20, 2024 13:43

Alex-Welsh force-pushed the sync-caracal-antelope branch 2 times, most recently from 679edee to fa2995e Compare August 20, 2024 13:47

Merge remote-tracking branch 'origin/stackhpc/2023.1' into sync-carac…

fa2995e

…al-antelope

markgoddard approved these changes Aug 20, 2024

View reviewed changes

markgoddard merged commit 01f7e23 into stackhpc/2024.1 Aug 20, 2024
4 of 12 checks passed

markgoddard deleted the sync-caracal-antelope branch August 20, 2024 14:11

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Sync caracal antelope #1235

Sync caracal antelope #1235

Uh oh!

Alex-Welsh commented Aug 20, 2024

Uh oh!

Uh oh!

Uh oh!

Sync caracal antelope #1235

Sync caracal antelope #1235

Uh oh!

Conversation

Alex-Welsh commented Aug 20, 2024

Uh oh!

Uh oh!

Uh oh!